Koa
Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.
Koa is expressive middleware for Node.js using ES2017 async functions. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable and requires no authentication. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Koa is expressive middleware for Node.js using ES2017 async functions. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity.